Replace hardcoded expiration date '2025-12-31T23:59' with dynamically
generated future date. The tests were failing with "Expiration date
must be in the future" validation error since it's now 2026.
Added getFutureExpirationDate() helper that returns a date 1 year
from now in the required datetime-local format.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* test(web): migrate logout Cypress test to Playwright
Uses unique temporary users per test to avoid session invalidation
conflicts when running in parallel. Quay's signout endpoint invalidates
all sessions for a user, which would break parallel tests sharing users.
Also documents the session-destructive test pattern in MIGRATION.md.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test(web): migrate mirroring Cypress test to Playwright
Migrates web/cypress/e2e/mirroring.cy.ts to Playwright following the
MIGRATION.md guide. Consolidates 18 Cypress tests into 5 Playwright
tests using real API calls instead of mocks.
Changes:
- Add mirroring API utilities to client.ts (changeRepositoryState,
createMirrorConfig, getMirrorConfig, updateMirrorConfig,
triggerMirrorSync, cancelMirrorSync)
- Create mirroring.spec.ts with 5 consolidated tests covering:
- State warning and form visibility
- New mirror configuration lifecycle
- Existing mirror configuration management
- Sync operations
- Error handling (only mock used for 400 error scenario)
- Update MIGRATION.md checklist (8/54, 15%)
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test(web): add TestApi fixture with auto-cleanup for Playwright tests
Introduce a TestApi class that wraps ApiClient and automatically tracks
created resources for cleanup after each test. This eliminates the need
for manual beforeEach/afterEach cleanup patterns and ensures resources
are always cleaned up even when tests fail.
Changes:
- Add TestApi class to fixtures.ts with methods for creating orgs,
repos, teams, robots, and prototypes with auto-cleanup
- Add api and superuserApi fixtures that provide TestApi instances
- Migrate all committed Playwright tests to use the new api fixture
- Update MIGRATION.md with documentation for the new pattern
The api fixture provides:
- api.organization(prefix?) - creates org with unique name
- api.repository(namespace?, prefix?, visibility?) - creates repo
- api.team(orgName, prefix?, role?) - creates team
- api.robot(orgName, prefix?, description?) - creates robot
- api.prototype(orgName, role, delegate, activatingUser?) - creates default permission
- api.setMirrorState(namespace, repoName) - sets repo to MIRROR state
- api.raw - access underlying ApiClient for non-tracked operations
Resources are cleaned up in reverse order (LIFO) after each test.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test(web): remove migrated tests
Signed-off-by: Brady Pratt <bpratt@redhat.com>
* test(web): auto-skip Playwright tests based on @feature: tags
Adds an auto-fixture to fixtures.ts that automatically skips tests
when their @feature:X tags reference disabled Quay features. This
eliminates duplication between tags and manual test.skip() calls.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix(web): set axios baseURL at module level for all routes (PROJQUAY-0000)
Previously axios baseURL was only set inside StandaloneMain component,
causing requests from /signin and other auth routes to go to the wrong
URL (localhost:9000 instead of localhost:8080).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test(web): use cy.session() for Cypress authentication
Replace manual CSRF token + loginByCSRF pattern with cy.session()
for proper session handling. Fixes race condition where React app
made API calls before Cypress login completed.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test(web): fix notification drawer test flakiness with toPass polling
Use Playwright's toPass to poll for notification appearance instead of
a single assertion. The backend may take time to process push
notifications, so reload and retry until the notification is visible.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
* test(web): migrate notification-drawer Cypress test to Playwright
Convert the notification-drawer.cy.ts test from mocked API responses to
real API interactions. The test now creates a repository, configures a
quay_notification for repo_push events, pushes an image to trigger the
notification, then validates the drawer UI behavior (open, read, delete).
Adds createRepositoryNotification method to the Playwright API client.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test(web): migrate default-permissions Cypress test to Playwright
- Add robot and prototype API methods to test client
- Fix undefined allMembers bug in CreateTeamWizard.tsx
- Fix missing return value in AddTeamMember.tsx setDeletedTeamMembers
- Tests run in parallel with isolated state per test
Co-authored-by: Claude <noreply@anthropic.com>
* test(web): migrate external-scripts Cypress test to Playwright
Co-authored-by: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
* test(web): consolidate Playwright API utils into ApiClient class
Migrate from individual function-based API utilities to a unified
ApiClient class with CSRF token caching. This eliminates redundant
token requests when tests make multiple API calls.
Key changes:
- Create ApiClient class with cached CSRF token
- Add signIn() method for authentication flows
- Update all test files to use ApiClient instances
- Remove individual api/csrf.ts, organization.ts, repository.ts,
team.ts, user.ts files in favor of single client.ts
- Update fixtures.ts to use ApiClient for login
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Brady Pratt <bpratt@redhat.com>
* test(web): run playwright on small machine for chrome only
while we are migrating, swap things around to save time and money
Signed-off-by: Brady Pratt <bpratt@redhat.com>
---------
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
* test(web): migrate theme-switcher tests from Cypress to Playwright
Replace Cypress theme-switcher.cy.ts with Playwright equivalent.
Uses real API calls instead of mocked intercepts per migration guide.
Tests theme toggle visibility, persistence, and browser color scheme
detection via Playwright's emulateMedia API.
- Add data-testid to user-menu-toggle for stable selector
- Create playwright/e2e/ui/theme-switcher.spec.ts with 3 test cases
- Update MIGRATION.md checklist (2/54 migrated)
- Delete original Cypress test file
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test(web): migrate breadcrumbs tests from Cypress to Playwright
Add organization, team, and container API utilities to support the
breadcrumbs test migration. Tests cover:
- List pages (no breadcrumbs)
- Organization, repository, tag, and team page breadcrumbs
- Edge cases with same-name org/repo/team combinations
The container utility supports both podman and docker for pushing
test images when testing tag breadcrumbs.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test(web): migrate overview tests from Cypress to Playwright
Migrates web/cypress/e2e/overview.cy.ts to Playwright with 4 tests:
- Expandable dropdowns show content
- External links navigate correctly
- Tabs switch content correctly
- Purchase plans dropdown shows pricing options
Uses getByRole for tab selection instead of PatternFly-generated IDs.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Brady Pratt <bpratt@redhat.com>
* test(ci): ignore test files for web preview
no need in deploying the web preview if only tests or docs are modified
Signed-off-by: Brady Pratt <bpratt@redhat.com>
---------
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
* chore: add Playwright e2e test infrastructure
Add Playwright test framework with custom fixtures for authenticated
contexts, API utilities for test data management, and repository
delete test as initial migration from Cypress.
Key additions:
- global-setup.ts: Creates admin, testuser, readonly test users
- fixtures.ts: Pre-authenticated page/request fixtures by role
- utils/api.ts: CRUD utilities for repositories
- MIGRATION.md: Guide for migrating Cypress tests to Playwright
- repository-delete.spec.ts: First migrated test with full cleanup
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Brady Pratt <bpratt@redhat.com>
* chore: update web/.dockerignore
exclude tests from being included in the intermediate build - this
should improve caching when only tests change
Signed-off-by: Brady Pratt <bpratt@redhat.com>
* chore: add pre-commit check to block new cypress tests
Signed-off-by: Brady Pratt <bpratt@redhat.com>
---------
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
This commit adds a cyan "Global Readonly Superuser" label to identify
global readonly superusers in the Organizations list, making it easier
for administrators to distinguish them from regular superusers.
Backend change: Updated User.to_dict() to include global_readonly_super_user
property in the /api/v1/superuser/users/ API response.
Frontend changes: Propagated the property through the data flow and added
label rendering with cyan color to visually distinguish from regular
superusers (blue).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Build IDs are UUIDs displayed as hex strings. The previous localeCompare
sorting treated them lexicographically, causing incorrect sort order.
Now detects hex/UUID patterns and sorts by parsing the first 8 hex
digits numerically.
Co-authored-by: Claude <noreply@anthropic.com>
ClipboardCopy children were passed as JSX expressions which creates an
array of React nodes. PatternFly's ClipboardCopy may join array children
with commas when extracting text, causing pull commands like:
"docker pull ,hostname,/,org,/,repo,:,tag"
Using template literals ensures a single string child is passed,
preventing the comma issue.
Co-authored-by: Claude <noreply@anthropic.com>
Use mutateAsync instead of mutate so Promise errors propagate to the
calling code. Previously, mutate() was fire-and-forget, causing success
notifications even when the API returned 400 errors.
Remove duplicate alert notification - error is shown inline in the modal.
Co-authored-by: Claude <noreply@anthropic.com>
Remove reCAPTCHA integration from the password recovery flow
as the feature has been deprecated.
Changes:
- Delete ReCaptcha component
- Remove recaptcha token handling from Signin page
- Simplify UsePasswordRecovery hook
- Remove react-google-recaptcha dependencies
- Clean up test fixtures and CSS
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
The formatSize() function used a falsy check which treated 0 as invalid,
returning "N/A" instead of formatting it. Now 0 displays as "0.00 KiB"
matching the legacy UI behavior.
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
when using OIDC authentication and the user has no password set, display
an info alert with a "Set password" button to guide users through setting
up their CLI password
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
* fix(web): enable user self-service email changes when FEATURE_MAILING enabled (PROJQUAY-9879)
This commit fixes the issue where users received 401 Unauthorized errors
when attempting to update their email address in the new React UI when
FEATURE_MAILING is enabled.
Root cause: ChangeEmailModal was using the superuser-only endpoint
/api/v1/superuser/users/{username}, which regular users cannot access.
Changes:
- Added useChangeEmail hook in UseCurrentUser.ts that calls the correct
user self-service endpoint /api/v1/user/ for email updates
- Modified ChangeEmailModal to support dual modes (superuser vs user)
with isSuperuserMode prop for backward compatibility
- Updated GeneralSettings to display email as clickable link when
FEATURE_MAILING is enabled, opening the modal for email changes
- Pre-fill modal with current email address for better UX
- Added validation to prevent submitting the same email address
- Added 8 comprehensive Cypress e2e tests covering email change flows
The fix implements the proper email verification workflow where users
receive a verification email and must confirm before the change is applied.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fixing tests
* resolving coderabbit suggestion
---------
Co-authored-by: Claude <noreply@anthropic.com>
Global readonly superusers could click Create Message and Service Key
buttons which then failed with 403 errors. These buttons are now disabled
using the existing useSuperuserPermissions hook's canModify flag.
Co-authored-by: Claude <noreply@anthropic.com>
The settings page showed "Organization" labels and helper text even
when viewing a user namespace. Changed to conditionally display
"Username" for users and "Organization" for organizations.
Co-authored-by: Claude <noreply@anthropic.com>
Normal users couldn't see their own namespace quota in the Organizations
list Size column. The backend already returns quota_report in /api/v1/user/
but the frontend wasn't using it. Added fallback to use current user's
quota_report when superuser data isn't available.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
Previously, all errors on the Organizations page showed "Org deletion failed"
as the modal title, even for unrelated operations like registry size
calculation. This was confusing for Global Readonly Superusers who saw
"Org deletion failed" when trying to calculate registry size.
Changes:
- Separated error states in OrganizationsList.tsx (deletionErr, registryCalcErr)
- Added separate ErrorModal for registry calculation with correct title
- Fixed RepositoriesList.tsx ErrorModal title to "Repository deletion failed"
- Added Cypress test to verify correct error modal title
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
The UI was showing the "Enable OIDC Team Sync" button even when
FEATURE_TEAM_SYNCING was disabled in the config. Added check for
config?.features?.TEAM_SYNCING before displaying the team sync button.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
fix(ui): ensure logout redirects to signin on network error (PROJQUAY-9792)
When the logout API call fails due to network error, the UI now properly
redirects to the signin page and clears the client-side session. Previously,
the user would be stuck on the current page with an error modal.
Changes:
- Move redirect and cleanup to finally block in logout handler
- Add optional chaining to user.username to prevent undefined errors
- Remove unused addDisplayError import
- Add comprehensive Cypress e2e tests for logout functionality
The finally block ensures client-side logout always succeeds, even when
the server is unreachable, improving security and user experience.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
Stripe and StatusPage scripts were hardcoded in index.html, causing
85-second delays in air-gapped/restricted networks as browsers waited
for connection timeouts.
Created useExternalScripts hook to dynamically load scripts only when
BILLING feature is enabled. Scripts load asynchronously to prevent
blocking page render. On-premise deployments (BILLING=false) no longer
make external requests.
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
Previously only organizations and the logged-in user showed avatars.
Now all users and superusers display avatars by passing avatar data
from the API response through component props.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
Organization and user quota settings pages are view-only, but were
displaying an empty "Add Limit" form row with disabled controls.
This creates visual clutter and implies users can add limits when
they cannot.
Conditionally render the "Add Limit" card only when !isReadOnly to
match the behavior of the old Angular UI. Update Cypress tests to
verify the form does not exist (not just disabled) in view-only mode.
fix(web): prevent redirect to signin after OIDC username confirmation (PROJQUAY-9835)
When users authenticated via OIDC and confirmed their username, they were
incorrectly redirected back to the signin page instead of the home page.
This occurred because the OAuth flow stored the signin page URL in localStorage
as the redirect target. After username confirmation, the app would read this
stored URL and redirect back to signin, creating a loop.
The fix checks if the stored redirect URL contains '/signin' and navigates to
the home page instead.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
* fix(web): validate quota value input accepts only numbers (PROJQUAY-9837)
Changed Storage Quota input from type="text" to type="number" to prevent
non-numeric characters from being entered. Also enhanced validation to
catch edge cases where parseFloat could incorrectly parse mixed values
like "300xxxx" as 300.
Co-authored-by: Claude <noreply@anthropic.com>
* chore: move quota test seeding
locally the test goes from 8 minutes to 55 seconds :)
Signed-off-by: Brady Pratt <bpratt@redhat.com>
---------
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
When updating mirroring configuration fields like tag patterns, credentials
were being cleared because the password field is empty by default for security.
Modified UseMirroringConfig to conditionally exclude credentials from the
update payload when the password field is empty and updating existing config.
This matches the Angular UI behavior where only changed fields are sent.
Added Cypress tests to verify credentials are preserved when updating other
fields without changing the password, and that credentials are included when
explicitly updated.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
* ui: redirect new UI super user for fresh login when authentication type is OIDC (PROJQUAY-9748)
* test(ui): Fix Cypress tests for fresh login OIDC flow (PROJQUAY-9748)
- Fixed incorrect API endpoint (/api/v1/superuser/logs* instead of /api/v1/superuserlogs**)
- Fixed incorrect route (/usage-logs instead of /superuser/usagelogs)
- Added proper authentication setup using cy.loginByCSRF
- Used fixtures (config.json, superuser.json) following existing test patterns
- Simplified tests to 3 critical cases: OIDC redirect, query param preservation, Database modal
---------
Co-authored-by: harishsurf <hgovinda@redhat.com>
adds two new static information pages to the React UI:
- /about page with company info cards and bill-of-materials table
- /security page with security practices and features documentation
implementation includes:
- PatternFly components for consistent UI design
- sortable/filterable packages table with pagination
- actual CoreOS and Red Hat logos
- nginx routing configuration for new paths
- webpack config updates to handle image assets from src/assets
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
Implement RFC 6749 Section 10.12 compliant state parameter to prevent
CSRF attacks in OAuth token generation flow.
Changes:
- Generate cryptographically secure state using crypto.randomUUID()
- Store state in sessionStorage before OAuth redirect
- Parent window validates state from popup via postMessage
- Read state from query params (backend echoes it back)
- Display security error for invalid/missing state
- Add Cypress tests for state validation and CSRF protection
Security Impact:
- Prevents CSRF token theft and session fixation attacks
- Complies with OAuth 2.0 security best practices
- React UI only; Angular UI remains unchanged
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
* fix(ui): Enable organization/user visibility for read-only superusers (PROJQUAY-6882)
Users listed under GLOBAL_READONLY_SUPER_USERS can now see all
organizations and users in the UI, matching regular superuser visibility
with read-only restrictions on actions.
- Update UseCurrentUser to include global_readonly_super_user in isSuperUser check
- Add Cypress tests for read-only superuser visibility and action restrictions
- Settings column actions correctly hidden via existing canModify permission
* fix(ui): Add global_readonly_super_user field to API responses (PROJQUAY-6882)
- Add global_readonly_super_user field to user API response in endpoints/api/user.py
- Allow read-only superusers to view organization teams in endpoints/api/organization.py
- Allow read-only superusers to view robot permissions in endpoints/api/robot.py
* fix(ui): Prevent read-only superusers from deleting orgs/users
Security fix: Read-only superusers should not be able to delete
orgs or users they don't own, even though they can view them.
* Fix inline import + incorrect assert + add codecov tests
---------
Co-authored-by: Claude <noreply@anthropic.com>
The superuser build logs feature was calling only
/api/v1/superuser/<build_uuid>/build which returns build metadata but
NOT logs. Logs are available from a separate
/api/v1/superuser/<build_uuid>/logs endpoint that must be called
separately.
Updated fetchBuildLogsSuperuser() to fetch both endpoints in parallel
using Promise.all and merge the results. This matches the behavior of
the old AngularJS UI which called both endpoints separately.
Updated Cypress tests to mock both API endpoints.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
React-markdown v10.x no longer reliably passes the inline prop to
custom code components. Changed detection to check for newlines in
code content instead, which correctly distinguishes inline code from
code blocks.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
